Local Information - Detected Port Scans

The way this information is collected is undergoing considerable change, and updates have been lacking recently. We are in the process of bringing you a live, searchable database updated by multiple Intrusion Detection Sensors. This will cover a much wider area and give a more realistic analysis of scans.

You may ask what the purpose of this page is. RHP Studios would like to show you the types of scans that we and our clients receive on a regular basis, so that other businesses and individuals can modify their firewalls accordingly. The information included here is useful to those who manage firewalls. It has been pulled from firewall logs, PortSentry, Snort, and tcp dumps. Scans detected by PortSentry are blocked automatically, so their count will remain at 1.

The IP addresses listed under "Originating IP" can easily be spoofed. You can block access at the firewall/router by IP address or filter access to the port/service. The IP information is included only to differentiate between "mass port scans" and "targeted port scans", since each port scan is logged once per occurrence. A mass port scan targets entire ranges of networked computer systems, whereas a targeted port scan targets only one individual computer. This information also shows that when a new vulnerability is found, scans for it start within hours and continue regularly for some time.

If you are the owner of one of the originating IP addresses, the address is static, and you feel this information is in error, please notify RHP Studios immediately via the contact link. This could indicate that someone other than you "owns" your computer. These IP addresses have shown up on more than one system that we manage, and we therefore feel that the information is accurate.

Security is vigilance.

Date        Time (GMT)  Type/Service         Count  Port        Originating IP
----------  ----------  -------------------  -----  ----------  ---------------
2001-03-27  12:32:33    RPC                  1      111         202.96.137.37
2001-03-27  15:25:46    RPC                  1      111         148.204.184.84
2001-03-28  00:55:05    FTP                  2      21          128.121.2.138
2001-03-28  08:51:28    FTP                  1      21          64.92.132.5
2001-03-28  13:40:45    RPC                  1      111         24.240.212.131
2001-03-28  13:48:59    RPC                  1      111         195.192.90.253
2001-03-28  18:25:37    DNS                  1      53          207.228.250.34
2001-03-28  19:36:36    SOCKS                2      1080        64.40.50.30
2001-03-28  19:37:51    UDP                  2      2511        64.40.50.30
2001-03-29  09:34:11    SMTP                 2      25          65.33.41.221
2001-03-29  12:11:55    FTP                  3      21          213.51.156.67
2001-03-30  08:26:50    TCP OS fingerprint   1      53          210.97.122.129
2001-03-30  19:15:18    DNS                  2      53          210.204.3.1
2001-03-30  21:03:15    RPC                  1      111         203.255.3.232
2001-03-31  01:29:13    SOCKS                3      1080        210.205.51.86
2001-03-31  01:44:34    DNS                  2      53          139.130.214.208
2001-03-31  11:56:30    TCP OS fingerprint   1      6635        210.255.128.58
2001-03-31  21:06:20    RPC                  1      111         211.184.80.129
2001-03-31  21:10:54    RPC                  1      111         211.52.82.72
2001-03-31  21:29:37    SubSeven port probe  4      27374       24.141.86.143
2001-03-31  22:00:09    RPC                  1      111         166.104.203.177
2001-04-01  03:06:30    FTP                  3      21          207.91.104.3
2001-04-01  03:07:49    UDP                  5      1285        207.91.104.3
2001-04-01  05:19:48    FTP                  3      21          24.94.0.75
2001-04-01  15:59:52    SOCKS                2      1080        206.102.214.17
2001-04-02  05:11:51    SMTP                 4      25          128.121.2.138
2001-04-02  05:13:06    UDP                  10     1285        128.121.2.138
2001-04-02  08:17:45    DNS                  3      53          211.4.245.19
2001-04-02  09:39:38    DNS                  2      53          203.232.107.151
2001-04-02  13:54:40    TCP Port Probe       2      1008|10008  24.132.83.152
2001-04-02  15:02:43    SubSeven port probe  4      27374       24.112.184.248
2001-04-02  16:15:58    SubSeven port probe  2      27374       66.24.209.104
2001-04-02  16:37:00    NetBus port probe    4      12345       64.229.53.129
2001-04-02  18:33:55    TCP                  2      515         195.86.248.76
2001-04-02  18:40:19    SubSeven port probe  4      27374       24.64.248.139
2001-04-02  18:49:01    TCP                  1      515         202.70.24.24
2001-04-02  19:06:59    SubSeven port probe  1      27374       24.188.217.161
2001-04-02  20:01:42    TCP port probe       3      18207       24.185.21.71
2001-04-02  21:27:19    TCP port probe       4      18207       212.119.172.130
2001-04-02  21:39:56    TCP port probe       6      18207       209.222.190.56
2001-04-03  01:40:50    RPC TCP port probe   1      111         211.184.149.130
2001-04-03  03:01:54    TCP port probe       1      515         202.105.50.210
2001-04-03  14:31:53    RPC TCP port probe   2      111         192.153.157.239
2001-04-03  17:41:06    TCP port probe       3      515         4.3.82.190
2001-04-03  17:42:59    TCP port probe       1      515         64.105.23.170
2001-04-03  19:23:58    SubSeven port probe  1      27374       24.183.60.127
2001-04-04  00:00:53    RPC TCP port probe   1      111         210.115.127.15
2001-04-04  16:25:27    TCP port probe       2      515         4.3.82.190
2001-04-04  21:08:38    TCP port probe       4      12256       24.241.6.80
2001-04-04  21:14:12    TCP port probe       4      12256       206.141.203.78
2001-04-04  23:55:33    RPC TCP port probe   1      111         209.15.190.85
2001-04-05  05:59:05    RPC TCP port probe   2      111         216.223.48.52
2001-04-05  05:59:06    DNS TCP port probe   2      52          216.223.48.52
2001-04-05  06:24:29    SubSeven port probe  2      27374       24.183.188.45
2001-04-05  06:32:34    TCP port probe       2      515         140.112.175.56
2001-04-05  06:32:47    RPC TCP port probe   2      111         211.111.144.206
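
The following Python code is an added example, not part of RHP Studios' tooling. It parses records in the table's six-column layout and groups them by port and by source, showing which ports draw several distinct sources and which sources return on another port or another day. The one-record-per-line text layout and the function names are assumptions; the sample rows are copied from the table.

```python
from collections import defaultdict

# Rows copied from this page's table: date, time (GMT), type/service, count, port, IP.
SAMPLE = """\
2001-03-28 00:55:05 FTP 2 21 128.121.2.138
2001-03-28 19:36:36 SOCKS 2 1080 64.40.50.30
2001-03-28 19:37:51 UDP 2 2511 64.40.50.30
2001-03-31 21:29:37 SubSeven port probe 4 27374 24.141.86.143
2001-04-02 05:11:51 SMTP 4 25 128.121.2.138
2001-04-02 05:13:06 UDP 10 1285 128.121.2.138
2001-04-02 13:54:40 TCP Port Probe 2 1008|10008 24.132.83.152
2001-04-02 15:02:43 SubSeven port probe 4 27374 24.112.184.248
2001-04-03 17:41:06 TCP port probe 3 515 4.3.82.190
2001-04-04 16:25:27 TCP port probe 2 515 4.3.82.190
"""

def parse_row(line):
    """Split one record; the service name may contain spaces, so peel
    the fixed fields off both ends and keep the middle as the service."""
    tok = line.split()
    if len(tok) < 6:
        raise ValueError(f"short record: {line!r}")
    date, time, *service, count, port, ip = tok
    ports = [int(p) for p in port.split("|")]  # "1008|10008" names two ports
    return {"date": date, "time": time, "service": " ".join(service),
            "count": int(count), "ports": ports, "ip": ip}

def summarise(text):
    """Return (distinct sources per port, sources seen on >1 port or >1 day)."""
    by_port = defaultdict(set)
    by_ip = defaultdict(lambda: {"ports": set(), "days": set()})
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        r = parse_row(line)
        for p in r["ports"]:
            by_port[p].add(r["ip"])
            by_ip[r["ip"]]["ports"].add(p)
        by_ip[r["ip"]]["days"].add(r["date"])
    sources_per_port = {p: len(s) for p, s in by_port.items()}
    repeat = {ip: v for ip, v in by_ip.items()
              if len(v["ports"]) > 1 or len(v["days"]) > 1}
    return sources_per_port, repeat

if __name__ == "__main__":
    per_port, repeat = summarise(SAMPLE)
    for port, n in sorted(per_port.items(), key=lambda kv: -kv[1]):
        print(f"port {port}: {n} distinct source(s)")
    for ip, v in sorted(repeat.items()):
        print(f"{ip}: ports {sorted(v['ports'])} on {len(v['days'])} day(s)")
```

Because the originating addresses can be spoofed, the per-port totals are the more dependable input when deciding which services to filter.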

RHPS New IDS Server Reports

Beginning the 2nd week of April 2001, we implemented a new test Intrusion Detection System running on our RHPSecure Linux Operating System. We will post updates here, complete with packet header captures, tcp dumps, and related information.